[dns-operations] What is the most pressing need for DNS these days?

Peter Dambier peter at peter-dambier.de
Tue Jun 27 23:19:21 UTC 2006


Edward Lewis wrote:
> At 21:57 +0200 6/27/06, Peter Dambier wrote:
> 
>> As Gadi keeps telling, signing in DNS is only useful for people to
>> create DoS bombs.
>>
>> I have seen RIPE signing. And I have heard people sighing because
>> of some headaches. I guess DNSSEC is not ripe yet :)
> 
> 
> I hear you, but I am not looking for more criticism of approaches 
> currently being sought. I'd also suggest that "guessing" is replaced by 
> doing something to quantify the unhappiness, such as the need for an 
> extra tool, an adjustment to the protocol, etc., and suggest doing it.
> 
> I don't mean to pick on this response, but if there's ever going to be 
> forward progress we need to identify where to do the work.
> 

You are absolutely right at picking :)

When unhappiness reached 40%, people like me started building alternative
roots.

When unhappiness reached 80%, it was countries that built their own
domestic roots, like China, Turkey and some Arab countries.

I guess unhappiness was 95% when governments started experimenting
with rootzones distributed via CD-ROM.

It is still experimenting. The rootzone is still sent as a file, mostly.
But unhappiness is 95%.

Unhappiness 100% will mean - who cares about the root?

We still will have 'normal' DNS within the TLDs but it will be
somebody else deciding whom to include and whom to exclude.

It will be somebody else deciding about what to do in case of collisions.

RIPE is implementing DNSSEC right now, but I am afraid many ISPs will
wait for version 3.

With a rootzone on CD-ROM it does not matter that the root is not signed yet.

> So - I'm asking.  What *needs* doin'?  Not to finish DNSSEC, but to 
> better the lot of DNS operators.

Live testing DNSSEC would be a good idea, so version 3 can be implemented
as quickly as possible.

The lot of DNS operators,
that is really difficult, because the problem is not dns-operations but
ICANN. I don't know how DNS operators could implement IDN or the
unofficial TLDs.

Some resolvers could slave alternative domains but that is at the ISP
end or even at the customer. Some ISPs do already, some news agencies
too.

If more people start building their own rootservers it might be a good idea
to mirror ftp://ftp.rs.internic.net/domain/ or even to provide an HTML
version.

Kicking some silly operating system builders in the backside for generating
bogus queries would greatly relieve DNS but again, it is not really
a problem of dns-operations and I remember Verizon successfully tried
it :)

Oh, yes, I am 99% unhappy, but dns-operations is not the culprit.
Seeing BIND 9.4.0a6 working, ISC is not either :)


# IASON ZoneCompiler version 0.0.4
# SOA(".","2006062601","A.ROOT-SERVERS.NET.","NSTLD.VERISIGN-GRS.COM.","1800","900","604800","86400").
# VRSN-END-OF-ZONE-MARKER-DUMMY-RECORD.ROOT. TXT plenus
# lines: 2457,  NS: 1451,  A: 914,  AAAA: 74,  SOA: 1, domains: 266 servers: 906

Here it is: The rootzone has 1451 NS records resulting in 914 A records
but only 74 AAAA records. That means we have too few IPv6 ready nameservers.

I am no better because I had to disable the IPv6 stack on all my machines.
Obviously I am too stupid to get my tunnel working and without an IPv6
route to the outside my nameserver will try and give up on some nameservers
without ever trying IPv4.

I can see IPv6 has the capabilities to get us into real trouble.

;; Truncated, retrying in TCP mode.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29958
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 7, ADDITIONAL: 3

;; QUESTION SECTION:
;io.                            IN      ANY

;; ANSWER SECTION:
io.                     604800  IN      TXT     "Access to the .IO Zone File information does not in itself convey any rights to any party to use, store, manipulate, such information without the explicit written consent of ICB plc, P.O.Box 4040, Christchurch, BH23 1XW, UK."
io.                     604800  IN      TXT     "v=spf1 -all"
io.                     604800  IN      TXT     "$CHOICE: ns1c.nic.ac$"
io.                     604800  IN      TXT     "$CHOICE: ns2c.nic.ac$"
io.                     604800  IN      TXT     "(c) Copyright 2004, ICB Plc - All Right Reserved"
io.                     604800  IN      TXT     "The IO zone file is protected under national and international law as a database compliation."
io.                     604800  IN      NS      b.nic.io.
io.                     604800  IN      NS      b.nic.ac.
io.                     604800  IN      NS      b.nic.sh.
io.                     604800  IN      NS      ns2.jp.io.
io.                     604800  IN      NS      ns2.uucp.ne.jp.
io.                     604800  IN      NS      ns3.icb.co.uk.
io.                     604800  IN      NS      a.nic.io.
io.                     604800  IN      MX      5 mailer1.io.
io.                     604800  IN      SOA     ns.nic.io. nicadmin.nic.io. 2006062703 43200 3600 3600000 86400
io.                     604800  IN      A       80.249.100.38

;; AUTHORITY SECTION:
io.                     604800  IN      NS      ns3.icb.co.uk.
io.                     604800  IN      NS      b.nic.sh.
io.                     604800  IN      NS      ns2.jp.io.
io.                     604800  IN      NS      ns2.uucp.ne.jp.
io.                     604800  IN      NS      a.nic.io.
io.                     604800  IN      NS      b.nic.ac.
io.                     604800  IN      NS      b.nic.io.

;; ADDITIONAL SECTION:
a.nic.io.               3600    IN      A       64.251.31.179
b.nic.io.               3600    IN      A       66.235.201.216
mailer1.io.             604800  IN      A       193.223.78.131

;; Query time: 94 msec
;; SERVER: 192.168.48.227#53(192.168.48.227)
;; WHEN: Wed Jun 28 00:53:32 2006
;; MSG SIZE  rcvd: 906


Harmless, isn't it? - How about this one?

;; Truncated, retrying in TCP mode.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26745
;; flags: qr aa rd; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 7

;; QUESTION SECTION:
;io.                            IN      ANY

;; ANSWER SECTION:
io.                     604800  IN      A       80.249.100.38
io.                     604800  IN      SOA     ns.nic.io. nicadmin.nic.io. 2006062703 43200 3600 3600000 86400
io.                     604800  IN      MX      5 mailer1.io.
io.                     604800  IN      NS      ns3.icb.co.uk.
io.                     604800  IN      NS      a.nic.io.
io.                     604800  IN      NS      b.nic.ac.
io.                     604800  IN      NS      b.nic.io.
io.                     604800  IN      NS      b.nic.sh.
io.                     604800  IN      NS      ns2.jp.io.
io.                     604800  IN      NS      ns2.uucp.ne.jp.
io.                     604800  IN      TXT     "Access to the .IO Zone File information does not in itself convey any rights to any party to use, store, manipulate, such information without the explicit written consent of ICB plc, P.O.Box 4040, Christchurch, BH23 1XW, UK."
io.                     604800  IN      TXT     "v=spf1 -all"
io.                     604800  IN      TXT     "$CHOICE: ns1c.nic.ac$"
io.                     604800  IN      TXT     "$CHOICE: ns2c.nic.ac$"
io.                     604800  IN      TXT     "(c) Copyright 2004, ICB Plc - All Right Reserved"
io.                     604800  IN      TXT     "The IO zone file is protected under national and international law as a database compliation."

;; ADDITIONAL SECTION:
mailer1.io.             604800  IN      A       193.223.78.131
a.nic.io.               3600    IN      A       64.251.31.179
b.nic.ac.               3600    IN      A       217.160.203.158
b.nic.io.               3600    IN      A       66.235.201.216
b.nic.sh.               3600    IN      A       216.117.156.206
ns3.icb.co.uk.          3600    IN      A       217.199.188.61
ns3.icb.co.uk.          3600    IN      AAAA    2001:628:453:430c:230:48ff:fe42:60f

;; Query time: 197 msec
;; SERVER: 64.251.31.179#53(a.nic.io)
;; WHEN: Wed Jun 28 00:54:23 2006
;; MSG SIZE  rcvd: 884


I guess they have learned it. I remember them having a nameserver with
only an IPv6 address. Still I cannot query ns3.icb.co.uk when my
LAN knows IPv6 but my router does not.

How about a separate DNS network with only IPv6 nameservers? That
implies two separate rootzone files with only IPv4 or only IPv6
addresses.

No problem, a little C programme will do it locally, if only we had
enough IPv6 nameservers.

How about anycast?

Querying a rootserver via its IPv4 address I will most likely get
one and the same nameserver again and again. But IPv6? Right now
it depends on my tunnel.

It looks like IPv6 was another horse that soon will be galloping
away. Maybe there will come routers that know how to translate
between IPv6 internally and IPv4 externally. Maybe there will
be TUBA.


Cheers
Peter and Karin


-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
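A small Python take on the "little C programme" idea from the message above, added here as an example (it is not IASON's or the poster's code): it reproduces the per-type record count shown in the ZoneCompiler summary, lists delegated nameservers that have no glue in one address family, and emits an IPv4-only or IPv6-only view of the zone so a resolver without a route in that family never waits on an unreachable server. The zone fragment is constructed; the .io names echo the dig output, and ns-v6only.example. is invented.

```python
from collections import Counter, defaultdict
# Constructed sample; the .io names echo the thread, the v6-only server is invented.
SAMPLE_ZONE = """\
io.                604800 IN NS   a.nic.io.
io.                604800 IN NS   ns3.icb.co.uk.
io.                604800 IN NS   ns-v6only.example.
a.nic.io.          3600   IN A    64.251.31.179
ns3.icb.co.uk.     3600   IN A    217.199.188.61
ns3.icb.co.uk.     3600   IN AAAA 2001:628:453:430c:230:48ff:fe42:60f
ns-v6only.example. 3600   IN AAAA 2001:db8::53
"""

def parse_zone(text):
    """Return (owner, ttl, type, rdata) tuples; comments and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((owner.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return records

def zone_stats(records):
    """Per-type counts, like the 'NS: 1451, A: 914, AAAA: 74' summary line."""
    return dict(Counter(rtype for _, _, rtype, _ in records))

def glue_by_server(records, family):
    """Map nameserver name -> its address records of one family ('A' or 'AAAA')."""
    glue = defaultdict(list)
    for rec in records:
        if rec[2] == family:
            glue[rec[0]].append(rec)
    return glue

def servers_without(records, family):
    """Delegated nameservers that have no glue in the given family."""
    targets = {rdata for _, _, rtype, rdata in records if rtype == "NS"}
    return sorted(targets - set(glue_by_server(records, family)))

def split_by_family(records, family):
    """One-family view: NS records whose target has glue in 'family', plus that glue."""
    glue = glue_by_server(records, family)
    view = [r for r in records if r[2] == "NS" and r[3] in glue]
    for server in sorted(glue):
        view.extend(glue[server])
    return view

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print(zone_stats(recs), "no AAAA glue:", servers_without(recs, "AAAA"))
```

Fed the real root zone file instead of the sample, `zone_stats` gives the same kind of NS/A/AAAA tally as the ZoneCompiler line, and `split_by_family(recs, "AAAA")` is the IPv6-only rootzone the message asks for.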
